[3.3] curl: Incorrect reuse of client certificates (CVE-2016-7141)
libcurl built on top of NSS (Network Security Services) incorrectly re-used client certificates if a certificate from file was used for one TLS connection but no certificate set for a subsequent TLS connection.
While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong client cert), this vulnerability was caused by an implementation detail of the NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.
Affected versions:
libcurl 7.19.6 to and including 7.50.1
Reference:
https://curl.haxx.se/docs/adv_20160907.html
Patch:
https://curl.haxx.se/CVE-2016-7141.patch
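The advisory scopes the bug to two conditions: the NSS TLS backend and libcurl 7.19.6 through 7.50.1. The following script is an added example (not part of the issue or of curl itself) that checks both conditions from the first line of `curl --version`; the sample version lines in the test are constructed. Note that a distribution package fixed by backporting the patch (as this Alpine changeset does) keeps its upstream version string, so a hit here means "check your vendor's changelog", not "confirmed vulnerable".

```python
import re
import subprocess

# Affected range from the advisory: libcurl 7.19.6 to and including 7.50.1.
AFFECTED_MIN = (7, 19, 6)
AFFECTED_MAX = (7, 50, 1)


def parse_curl_version(first_line):
    """Parse the first line of `curl --version`.

    Returns (libcurl_version_tuple, linked_library_names), e.g.
    ((7, 47, 0), ['NSS', 'zlib', 'libidn', 'libssh2']).
    """
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", first_line)
    if not m:
        raise ValueError("no libcurl/x.y.z token in: %r" % first_line)
    version = tuple(int(x) for x in m.groups())
    # After the libcurl token curl lists linked libraries as NAME/VERSION;
    # the TLS backend (NSS, OpenSSL, GnuTLS, ...) is among them.
    tail = first_line[m.end():]
    libs = [tok.split("/")[0] for tok in tail.split() if "/" in tok]
    return version, libs


def is_affected(first_line):
    """True when the build uses NSS and its version falls in the advisory range."""
    version, libs = parse_curl_version(first_line)
    uses_nss = "NSS" in libs
    in_range = AFFECTED_MIN <= version <= AFFECTED_MAX
    return uses_nss and in_range


if __name__ == "__main__":
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit("could not run curl --version: %s" % exc)
    line = out.splitlines()[0]
    version, libs = parse_curl_version(line)
    print("libcurl %d.%d.%d, libraries: %s" % (version + (", ".join(libs),)))
    print("CVE-2016-7141 version/backend match:", is_affected(line))
```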
(from redmine: issue id 6135, created on 2016-09-12, closed on 2016-10-14)
- Relations:
- parent #6133 (closed)
- Changesets:
- Revision 5d819a07 on 2016-10-14T10:06:05Z:
main/curl: security fix (CVE-2016-7141). Fixes #6135